When you pick up your telephone and punch in a number, you expect that the contact is just between you and the person you call. Sure, you know your telephone carrier logs your phone’s activity. After all, a record of your mobile phone calls appears on your monthly telephone bill. And the bill for your landline phone includes information on calls made to phone numbers outside the local zone. But, what you don’t expect is that someone could use your calling history to pry into your personal life, even to physically harm you.

Since 1996, federal communications laws have required telephone companies to protect the confidentiality of your telephone calls. Under the law, carriers are obligated to ensure that your Customer Proprietary Network Information, or CPNI, is not disclosed to third parties without your consent. (Telecommunications Act of 1996, 47 U.S.C. §§151 et seq.).

CPNI is customer-specific information related to your use of a telecommunications service. The Telecommunications Act defines CPNI as “information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and... information contained in the bills ....”

Despite this restriction, in the years after 1996 instances of unauthorized access to telephone records exploded. Scores of Internet data brokers blatantly advertised the ability to obtain anyone’s telephone records in a matter of hours. Spurred by headlines and pressure from consumer groups, lawmakers and regulators have stepped up efforts to stop trafficking in telephone records. Are these measures effective? That remains to be seen.

This guide explains the current efforts to stop unauthorized access to your telephone records. It offers suggestions on how to protect your records, and it provides resources for additional reading.

What records does my telephone carrier keep?

You know from your monthly bill that your carrier tracks the telephone numbers you call, the duration of the call, and the date and time you made the call. If you use a cell phone, your location at the time you made the call is also often recorded. Records may also include information about calls you receive.

Data brokers that specialize in the sale of your telephone records advertise the ability to get cell phone, land line and Voice over Internet Protocol (VOIP) records. Nothing appears to be off limits for data brokers who sell your telephone records to anyone willing to meet their price, including calls from unlisted and unpublished phone numbers.

Why would someone want my telephone records?

Your telephone records reveal a great deal about your personal and professional life. Personal data that can be gleaned from tracking your telephone use seems to know no bounds. Your records may reveal not only who you call and who calls you, but also where you are when you make your calls.

The identity of your health care providers, your friends, and business associates are easily learned from your telephone records. Your calling habits can also reveal your daily routine, the times you first make calls in the morning until the last calls you make at night. If you are on vacation, your calling records may reveal where you are, even allow someone to guess at how long you might be gone.

You don’t have to be a celebrity, candidate for public office, or high-flying executive for someone to want your calling history. Famous people may be targets simply because of the “snooping” factor. But, more often than not, it is ordinary citizens whose records are sold by unscrupulous data brokers.

There are any number of reasons why someone would want your phone records. It could be to gain a business advantage, to ruin your reputation, harass you or even to physically attack you. No matter what the reason, it is almost certain that one who obtains your telephone records, either through a data broker or some other illegal means, intends to do you some harm.

Police officers and other law enforcement officials are prime targets. From an officer’s records criminals may learn about witnesses against them, confidential informants or otherwise effectively use an officer’s records to try to “even the score.” Victims of domestic violence and stalking are also prime targets. Illegally obtained phone records, although perhaps not admissible in court, may also be used to pressure you into settling in a nasty divorce case or acrimonious business dispute.

How does someone else get my telephone records?

The primary source for telephone records is your carrier itself. For years consumer advocates have said that telephone carriers lack adequate security measures to prevent unauthorized access. In the past, companies have not shown a willingness to monitor their own employees or to verify that requests for records come from the account holder.

Loose procedures by carriers have given rise to a thriving marketing in the sale of telephone records by unscrupulous data brokers. With little effort, data brokers have been able to obtain telephone records on order, often within a matter of hours. The ease of access to telephone records is apparent by the numbers of data brokers who once openly advertised their wares over the Internet.

A March 2008 report to Congress by the Congressional Research Service (CRS) identifies three primary methods used by data brokers to gain unauthorized access to your telephone records. These methods are:

When an employee of one of the phone companies sells the records to the data broker.

A practice called “pretexting” where a data broker pretends to be the owner of the phone and obtains the records under false pretenses.[1]

A data broker obtains the customer’s telephone records by accessing the customer’s account on the Internet.[2]

To read the CRS full report entitled Selected Laws Governing the Disclosure of Customer Phone Records by Telecommunications Carriers, March 10, 2008, see www.fas.org/sgp/crs/misc/RL34409.pdf[3]

It is now a federal crime for someone to pretend to be you or to submit phony documents to obtain your telephone records. The Telephone Records and Privacy Protection Act (TRPPA) of 2006 (P. Law 109-476, 18 USC §1039) calls it a crime to:

Make false statements or representations to an employee of a telephone company.

Make false statements to a customer of a telephone company.

Provide a document to a telephone company knowing that the document is false.

Access customer accounts via the Internet without prior authorization from the customer.

The law applies to cell phone and land line carriers as well as Voice over Internet Protocol (VOIP) records.

The TRPPA makes an exception for records obtained in an emergency or for law enforcement investigations conducted by federal, state or local law enforcement officials.

Before the TRPPA, the only federal criminal law that addressed pretexting was for financial data.

What are the penalties for someone who gets my telephone records through pretexting?

TRPPA violators potentially face a 10-year prison sentence in addition to fines. Violations that involve more than $100,000 or more than 50 customers can bring fines of up to $500,000 and an added five years in prison. Still stiffer penalties are possible if information gained through pretexting is used in domestic violence situations, stalking cases or against any law enforcement officer.

Can the government go after people who buy my telephone records?

Yes. Along with one who uses pretexting or other unlawful means to gain access to your telephone records, the TRPPA also covers anyone who sells, transfers, purchases or receives confidential telephone records. This means that the “customer” who orders your telephone records from a data broker can be punished along with the data broker who uses pretexting to obtain your records.

Is the FCC doing anything to stop data brokers?

The Federal Communications Commission (FCC) is the agency charged with enforcing the Communication Act of 1934. As such, the agency adopts rules and brings actions against telecommunications companies that violate the law and the FCC’s rules. After much consideration, the FCC recently updated its rules to address the problem of pretexting.

To fully appreciate the evolution of the FCC’s latest rules, a little background is needed. Since 1996 carriers have been required by law to protect confidential customer information, called customer proprietary network information or CPNI. Despite the FCC’s confidentiality rules, after 1996 instances of unauthorized access to customer’s telephone records exploded. Internet data brokers blatantly advertised to sell personal as well as business telephone records.

Consumer advocates and government officials alike agree on two points:

There is no legal way to obtain someone else’s telephone records without that person’s permission.

The only source for data brokers is the telephone carriers themselves.

By all accounts, trafficking in illegally obtained telephone records was a booming business by the late 1990s.

A number of factors have been cited as contributing to the success of these illegal operations. First, easy access to personal information such as name, address, and Social Security number make it easier for data brokers to pretend to be a telephone customer. Carriers' lax security policies made access easy. Carriers' failure to properly train, monitor, and discipline their own employees also played a part. Information sharing among carriers and outside companies for marketing was also cited as a factor fueling the market in illegally obtained telephone records.

Data broker operations have led to a flurry of lawsuits filed by state agencies and the carriers themselves. The Federal Trade Commission (FTC) has also filed federal court actions against many data brokers who illegally obtain customer telephone records through pretexting.

In August 2005, the Electronic Privacy Information Center (EPIC), www.epic.org[7], filed a petition calling on the FCC to adopt more stringent rules to address the epidemic of pretexting. Appended to its petition for rulemaking, EPIC included a list of 40 Internet data brokers that openly offered to sell business and personal telephone records.

EPIC’s petition specifically asked the FCC to require carriers to adopt more stringent security measures such as consumer-set passwords, an audit trail, and notice to consumers of an unauthorized access.

The PRC, joined by seven other consumer organizations, filed comments with the FCC in support of EPIC’s petition. To read the PRC’s comments, go to www.privacyrights.org/ar/FCC-CPNI.htm[8] . EPIC’s 2005 petition as well as a history of actions involving unlawful access to CPNI, can be found on the organization’s Web site at: www.epic.org/privacy/cpni/[9]

On March 13, 2007, the FCC issued a final rule adopting nearly all of EPIC’s proposals. The FCC’s latest rules adopt the following measures to combat pretexting. Now, carriers:

Cannot release call data over the telephone unless you provide a password. (But, you can get your records in person with a valid identification.)

Must notify you when a password has been changed.

Must notify you and the Federal Bureau of Investigation of an unauthorized disclosure.

Must get your permission, that is you must opt-in, before your CPNI can be shared with the carrier’s joint venture partners or an independent contractor.

Must file an annual certification with the FCC explaining any actions taken against data brokers and listing all consumer complaints about unauthorized access to CPNI.

The FCC's rules also extend the CPNI rules to Interconnected VolP service.

Yes, but the FCC’s rules put some limits on the practice. A telephone company can use your information to market its own products to you. For this, you can opt-out, that is tell the company you do not want to be marketed. However, a carrier can not share your information with its joint partners or outside companies unless you opt-in, that is give your specific permission to have your information shared for marketing.

State authorities have filed numerous lawsuits against data brokers and others who access telephone records through pretexting. Telephone carriers have also filed lawsuits against data brokers who obtain telephone records illegally.

The Amy Boyer case is another prominent pretexting lawsuit, in this situation, involving the murder of the stalking victim (Remsburg v. Docusearch). See the EPIC web site for more information: http://epic.org/privacy/boyer/[15]

In addition to lawsuits, some states are now adopting anti-pretexting laws. For example, California Penal Code Section 638 makes it a crime to purchase, sell or offer to purchase or sell telephone records without a customer’s consent. The California law also makes it clear that any information obtained through illegal means cannot be used in court.

Anyone who uses fraud or deceit to obtain telephone records in California is subject to a $2500 fine and one year in jail for the first offense. Subsequent offenses compound the penalties. The California anti-pretexting law can be found at www.leginfo.ca.gov[16]

Some other states that make the sale or receipt of telephone records obtained through pretexting illegal include:

To find out if your state law prohibits the unlawful sale and receipt of telephone records, contact your state utilities commission through the Web site of the National Association of Regulatory Utility Commissioners, www.naruc.org/commissions.cfm[23]

Information may also be available through your state attorney general. Contact for state attorneys general is available through the Web site of the National Association of Attorneys General, www.naag.org/[24]

Can I prevent unauthorized access to my telephone records?

No method is foolproof. There may be no way to guarantee complete security of your calling history. Certainly, the imposition of criminal penalties and tougher enforcement by the FCC and FTC will deter some data brokers.

However, history has shown that resourceful criminals, through new technologies and advanced schemes, are adept at staying one step ahead of the law. As long as someone is willing to run the risk and pay the price, efforts to gain illegal access to telephone records are likely to continue, albeit not as openly as before.

Even so, there are some things you can do to make it harder for someone to gain unauthorized access to your telephone records. Added measures are particularly important if you are a victim of stalking, domestic violence or are otherwise vulnerable.

Read your carrier’s privacy policy. Ask questions about what the carrier does to protect your privacy.

Opt-out, that is tell your company you are not open to unsolicited sales calls.

Set a password on your account. Do not use commonly known information or information available from other sources such as your Social Security number or date of birth.

Review your telephone bills as well as any notices that come from your telephone carrier.

Tell your carrier to deactivate online access to your account.

Be a good citizen. Report any advertisements you see for data brokers offering to sell telephone records. Forward this information to the FCC, www.fcc.gov[25], the FTC, www.ftc.gov[26], and your state Department of Justice or Attorney General.

Contact your state and federal representatives and urge them to adopt stronger anti-pretexting laws and increased punishment for those who sell and use your telephone records.

Federal crimes should also be reported to your local Federal Bureau of Investigation Field Office, and U.S. Attorney’s Office. Contact for these federal offices can be found in your local telephone directory under “government.”

Telephone records pretexting is also a crime under some state laws. Whether or not your state has a such a law, unauthorized access to your telephone records should be reported to your state attorney general. Contact is available through the Web site for the National Association of Attorneys General, www.naag.org[24]